Tag: Wisconsin Elections Commission

If votes are misprinted on the ballots, election officials don’t want to know

by

January 10, 2021

3:30 am

Comments Off on If votes are misprinted on the ballots, election officials don’t want to know

Uncategorized

, , , ,

In brief: During the past nine years as I’ve advocated for better security for voting machines and the vote-tabulation process, I’ve observed a reflexive resistance by election officials to any suggestions for improvement. On matters relating to the voter-registration system, where federal pressure has been greater, they are reasonable. But when it comes to counting votes, they listen only to each other and to voting-machine vendors, and ignore authorities and cybersecurity experts. They seem particularly deaf to any suggestions from voters regarding security safeguards.

I’m testing that observation now, with a safeguard that is, undeniably, a no-brainer. The City of Madison currently puts thousands of early voters’ ballots at risk by neglecting a safeguard that is effective, easy, not controversial, very low cost, has no substitute, and is unanimously recommended by authorities. Madison could largely implement this safeguard with one memo to its poll workers. Will Madison even consider it? Will WEC even consider ordering it? I don’t know yet. This blog post explains the issue and my effort so far. I’ll update it as events unfold.

BMDs (ballot-marking devices) are computers that mark ballots for voters who cannot, or who are not allowed to, mark their ballots with pens.

Using computers to mark the ballots necessarily introduces some risks: Computers can be misprogrammed, and printers can malfunction. So there is always a possibility that votes might be omitted from the printed ballots; the wrong votes recorded; and that ballots could be misprinted in a way that makes the votes illegible to the computers that will count them (the ‘tabulators’).

There is a simple, cheap safeguard: Before each ballot is cast, review it to make sure it was printed correctly. That’s called ‘verification.’ Only the voter can verify because no one else knows what votes were supposed to be printed.

However, voters don’t verify unless they are instructed to do so. And in some cases (when the votes are printed in barcodes), voters need access to a barcode reader, and need to be told how to use it. It sounds complicated, but typically takes less than a minute.

It’s obviously careless to let computers print thousands of votes with no one checking to make sure they are printing them correctly. So I’m sure you won’t be surprised when I tell you that every professional election authority, plus the voting-machine manufacturers themselves, recommend routine voter verification.

But that’s not what Wisconsin does.

(Note: In an earlier post, this blog inventoried the pros and cons of general use of BMDs. This post will focus only on their management once a city has decided to put them into general use, not the overall wisdom of doing away with hand-marked ballots.)

WHY DO WE NEED VOTER VERIFICATION?

The problems we need to watch out for are:

  • votes that aren’t recorded at all;
  • votes that are recorded for the wrong candidate; and
  • votes that are recorded in ways the tabulator cannot understand.

When voters use pens, these problems either don’t exist or are easily corrected. When a pen fails to record a vote, the voter tells the poll worker “This pen is out of ink,” and the problem is fixed before it ruins any ballots. If when a voter touched their pen to one oval, a different oval turned black, that would be magic, not malfunction, and we don’t need to worry about it.

Voters using pens sometimes record votes the tabulators cannot read, for example by circling the candidate’s name instead of filling in the oval. But that problem cannot systemically ruin hundreds of ballots. In fact, only a tiny fraction of ballots are mismarked so badly modern tabulators cannot read them. In addition, the voter’s selection is usually obvious to a human recounter or auditor, and so not a problem even in close contests.

But when voters select their votes from a touchscreen and a computer prints the paper ballot, voters must make an extra effort to notice any problems while they still have an opportunity to fix them.

Wisconsin’s early voters, in particular, need to make this effort because they will not be present to mark a new ballot if their ballot is rejected by the tabulator. And because early ballots are not cast for days or even weeks after they are printed, misprinting BMDs could ruin thousands of ballots before the problem is noticed unless the early voters verify.

When only a small percentage of ballots are printed by BMDs, problems are less likely. BMDs used by only a few voters are not an attractive target for hackers. But heavily used BMDs are at greater risk of both hacking and malfunction, and voter verification becomes essential. If no one notices when a heavily-used BMD starts misprinting ballots, an election could be seriously disrupted or even ruined.

Therefore, when a city replaces its ballot-marking pens with ballot-marking computers for large numbers of its voters, it needs to add the step of voter verification to its polling-place procedures.

HOW IS VOTER VERIFICATION DONE?

When security-minded election officials use BMDs, they set up a ‘verification station’ near the BMD. As the voters carry their ballots from the printer to the table or machine where they will submit them, a poll worker invites each voter to pause, read the ballot, and tell the poll worker if it accurately recorded their selections.

Some BMDs print ballots on which the votes are encoded so that the voters cannot read them. (See an example below.) When votes are encoded, the verification station must be equipped with a reader, so that the ballot can be quickly inserted and the encoded votes displayed to the voter. (Yes, everyone knows the voter will still be unable to verify that what the barcode reader is telling them is truly what the barcodes say. But using the reader might catch at least printer flaws that could make the encoded votes unreadable. It’s better than no verification at all.)

Polling places with these procedures can successfully get most, or even all, of the voters to review their BMD ballots.

If at the end of their shift, the poll worker then signs an affidavit that they observed the voters verifying the ballots, the computer-generated ballots can be accepted as reliable evidence of the voters’ selections in even the most professionally conducted audits and recounts.

WHAT DO MADISON AND MILWAUKEE DO?

In November 2020, election-security advocates around the nation were worried about Wisconsin. Mark Shipley, an activist from California, came to Wisconsin shortly before the election to help out with any election-security efforts that voters might be doing here.

As early voting started, I told him what I’d been told: that Madison and Milwaukee normally use a barcoding BMD, the ExpressVote, in early voting but were not going to use it in November’s election because of pandemic worries related to touchscreens.

But after one day of observing in Milwaukee, he told me I was wrong. Not only were all the early voters using the barcoding BMDs, not a one had verified their ballot. I quickly called Madison and found they were using the BMDs, too.

So Mark and I met in Milwaukee to observe at two more polling places. It was as he’d reported. We spoke with the person in charge at each location. Not only were the poll workers failing to instruct voters about verification, no one had instructed the poll workers themselves about either the ballots or verification.

The next day, I observed at four polling places in Madison, and saw even worse. In some locations, poll workers were standing beside the BMD, pulling the ballot out of the printer before the voter could, and folding it before handing it to the voter, in a way that assertively prevented the voter from seeing their own ballot.

This is a sample ballot from a Georgia election, generated by the type of machine used in Madison and Milwaukee early voting. When the tabulator counts this ballot, it will look at only the barcodes, where (we hope) votes that match those printed as text are encoded. Notice that one of these barcodes is flawed, and may or may not be readable by the tabulator. The voter will be able to detect this by inserting the ballot into a barcode reader before submitting it.
Also, as an exercise in understanding the challenges of this type of BMD ballot, do you think you would be able to verify each of the last eleven votes if this was your ballot? What were Constitutional Amendments 3 and 4, anyway? Does this ballot record a ‘no selection made’ for the right one?

In Madison, I was able to chat with more poll workers, including those in charge, during lulls in the action. All told me the same thing: They had never been instructed about the need for voter verification and they did not know what the barcodes were for. A few didn’t even know there were barcodes on the ballots. None knew how a voter could check to make sure the barcodes were readable, so if a voter had asked, they wouldn’t have been able to answer. (The ExpressVote has a built-in barcode reader; the voter just re-inserts the printed ballot.)

I saw a few voters who glanced at their ballots before folding them and as they left, I asked what they had been looking for. They told me they were looking to make sure it was the ballot, and for ‘fold here’ instructions. None had checked whether all their votes had been recorded or whether any had been recorded incorrectly.

Failing to tell BMD-using voters about verification is a violation of even elementary safeguards when using the machines. When I described what I’d witnessed to a national Zoom conference shortly after the election, I could see the other participants’ jaws drop. Outside Wisconsin, officials understand the need for voter verification.

SO WHAT’S TO BE DONE?

Mark and I compared notes over the next few days, and I filed a formal complaint with the Wisconsin Elections Commission. Only I signed the complaint because Mark lives in California. The complaint focuses only on Madison’s practices, for two reasons:

  • Our notes were more detailed from the second day of our observation and therefore, in my opinion, a better foundation for a formal complaint, and
  • I had corresponded with Madison election officials several times in the past few years regarding their use of BMDs, but had never written to Milwaukee. Therefore, I knew Madison officials were knowingly ignoring the dangers because I myself had informed them. In contrast, I realized Milwaukee officials might still be naive, and a formal complaint didn’t seem to me to be the right way to start to educate them.

I didn’t want to file the complaint so close to Election Day, knowing the problem couldn’t be fixed in time to protect any of the early ballots and that the officials were busy. But I went ahead and filed it promptly anyway, because I hate it when people wait until after they know who won to complain about election practices. So, apparently, do the courts.

My complaint requested that in future elections Madison implement these common-sense and expert-recommended safeguards:

  • Give voters the option of hand-marking their own paper ballots, which could most easily be done by purchasing a blank-ballot printer for each early voting location. These machines can print ballots appropriate for any ward in the city, but allow the voters to record their own votes, AND
  • For those voters who choose to use the BMD, have poll workers inform them about the barcodes, instruct them to read the human-readable text after their ballot is printed to make sure it’s correct, and encourage each voter to use the barcode reader to verify as much as they can.

The City’s response was written by City Attorney Michael Haas (formerly administrator at the WEC) on behalf of City Clerk Maribeth Witzel-Behl. They did not deny anything we had observed, and did not offer any reason why they believe it’s a good practice to keep poll workers and voters in the dark about verification and barcodes.

Instead, the response can be summarized: “You’re right. We don’t train our poll workers about the ExpressVote ballots or to answer questions about them. The State approved the ExpressVote for use in Wisconsin, so we can use it any way we want. We do other safeguards that statutes require of us, but because the State doesn’t explicitly require us to enable voter verification, we don’t.”

The next step for me was to submit my comment on Madison’s response, which I did. I addressed my remarks to the Commissioners because I’ve heard them have a sensible discussion about the issue, while the Madison officials don’t seem to understand either the problem or the solution. For example, they seem to believe that telling voters about a barcode reader supplied by the manufacturer specifically for the voters’ use requires “in-depth familiarity with the inner workings of the equipment.”

I’m not sure what’s next. I haven’t been notified of any specific timeline for resolution. But there’s no urgency. The next election is about a month away (February 16), and Madison could mostly correct the problem with a memo to its poll workers. The memo would tell them about the barcodes and tell them to instruct each BMD-using voter to read the human-readable votes printed on their ballot and to re-insert the ballot so that the machine can confirm the barcodes are readable. Other steps, such as giving voters the option of hand-marked paper ballots, will take longer.

I don’t know if the whole Commission will discuss the issue in an open meeting, or when that would be scheduled if they did. I’ve never seen them discuss complaints in open meetings. I haven’t received an invitation yet, or any indication they will invite me, the complainant, to come talk to them (not that I expect one — speaking directly with the voters is not their style).

Milwaukee and Madison voters: It will help if you contact your city election clerks and tell them you want them, at a minimum, to educate their poll workers and voters about the barcoding BMDs and to introduce polling-place procedures that enable BMD-using voters to verify their ballots. Madison: 608-266-4601; Milwaukee: 414-286-3491.

Voters who live in other cities should call their municipal clerk to ask about local use of BMDs (the two most common are called ‘ExpressVote’ and “ImageCast Evolution”, or ICE) and about whether or how they instruct voters to verify their computer-generated ballots.

If any Wisconsin voters want to organize any stronger actions, I can consult with you. Email me at kmk@wisconsinelectionintegrity.org.

Verifying a statewide election could be this easy and cheap.

by

November 9, 2019

9:27 pm

Comments Off on Verifying a statewide election could be this easy and cheap.

Uncategorized

, , ,

Photo: Michigan election officials assess the results of a manual count of a sample of ballots for a risk-limiting audit in 2018. Photo credit: Berkeley Institute for Data Science, UC-Berkeley

Think of “risk-limiting audits” as low-effort exit polls.

Exit polls determine who won by asking randomly selected voters “Who did you vote for?” Risk-limiting audits work on the same principle to confirm the correct winners, but they do not involve talking to voters. Instead, RLAs pose the question directly to randomly selected paper ballots.

Either way, a small sample can provide statistical proof of who really won the election, independently of the vote-counting computers.

No one in Wisconsin now does risk-limiting audits. Sometimes local officials spot-check a few randomly selected voting machines, but to any sensible risk manager’s horror, none have any specific plans for what they will do if any of those random voting-machine audits ever detects a serious miscount. Risk-limiting audits, in contrast, always resolve any problems they detect.

The Wisconsin Elections Commission has shown some mild interest in the possibility of using outcome-verifying audits to secure our elections. Every sensible Wisconsin voter should be pressuring them to do more. Here is the memo I submitted to WEC in December 2019, to help them understand how very practical this effective safeguard could be.

There’s no one correct way to do a risk-limiting audit. Our election officials could sample individual ballots (less work) or entire polling places (more work). They could do nothing more than confirm the correct winner in one race (less work) or they could answer other questions at the same time (more work).

A risk-limiting audit of a statewide election in Wisconsin could be this easy and cheap:

1) After they close the polls on Election Night, poll workers would record how many ballots they seal into each bag. Using this information, the municipal clerk would create a “ballot manifest” (e.g., City of Abbotsford: Bag #1 – 234 ballots; Bag #2 – 122 ballots).

It’s unlikely anyone has ever counted, but a fair guess is that a big election produces around 4,750-5,000 sealed ballot bags statewide. One bag can contain a maximum of around 300 ballots but might contain fewer than 10.

2) The day after the election, every municipal clerk would send their ballot manifest to the Wisconsin Elections Commission. The WEC could create an online reporting form to make this task easy and quick. It wouldn’t need bullet-proof security if the municipal clerk also mailed a hard copy of the manifest to WEC, and WEC staff later verified them against each other.

3) The WEC would then assign a number to every ballot in the state. For example, ballot numbers 1-234 would be assigned to the first bag from the City of Abbotsford; numbers 235-356 to the second bag, all the way up to the last bag from the Town of Yuba, which might be assigned the numbers 2,673,149 – 2,673,308.

4) WEC staff would examine the preliminary election results for the statewide races and enter the results for the closest race into a statistical tool that has been endorsed by the American Statistical Association, tested, and used in other states. This would generate a sample size for the audit.

The size of the sample depends upon the Election-Night margin of victory. If the margin is large or normal, the sample size will be small. For example, the 2018 contest for the US Senate was neither close nor a landslide: 55.4% to 44.5%. A risk-limiting audit of that race would have needed an initial sample size of only 401 ballots across the entire state. However, officials could choose to select a larger sample to provide voters with ’emotional’ confidence in addition to statistical confidence.

An extremely close election such as the 2018 Governor’s race (49.5% to 48.4%) would have needed an initial sample of 37,841 ballots (out of almost 2.7 million cast). But it’s these races that officials legitimately need to be most careful about, and it’s the very close races that, when left unaudited, provoke the most candidate resentment and voter suspicion.

Wisconsin election officials have already demonstrated they can handle larger sample sizes. For comparison, the voting-machine spot-checks conducted after the November 2018 election required officials to count votes from 135,712 ballots — more than 3.5 times the number of ballots they would have needed for a risk-limiting audit. But because of the way WEC selected that sample and their instructions that auditors ignore voter intent, that effort did not confirm the correct winner in any race.

Wisconsin election officials counted 135,712 ballots in the random voting-machine spot-checks after the November 2018 election, but used a method that did not confirm the winner in any race.
A risk-limiting audit of the same election would likely have verified the correct winners in the statewide races with only 37,841 ballots.

And because races from the same ballot (as those two races were) do not need separate samples, a risk-limiting audit could have verified all the statewide contests on the ballot in that election–an accomplishment of enormous value to election security and voter confidence.

5) WEC would randomly select ballot numbers and then use the statewide ballot manifest to identify the bag in which each of the selected ballots is stored. For example, if ballot #284 turned up in the random sample, the WEC would know it is in the second bag from the City of Abbotsford. If the random selection turned up ballot #2,673,193, they would know it is in the last bag from the Town of Yuba.

6) At this point, WEC could ignore the hypothetical numbers they assigned to each ballot and tell the municipal clerks only the number of ballots to be randomly selected from each bag.
For example, the WEC would tell the City of Abbotsford clerk to randomly select one ballot from the second bag. The instructions for random selection could be something like: “In the presence of observers, pull the ballots out of the bag, set them in a stack on the table, let an observer from each political party cut the stack several times like a deck of cards, cut the stack two more times, and select the ballot at the bottom of the last cut.”
Other methods could be prescribed for jurisdictions that use machines that print flimsier forms of paper ballots.

7) The municipal clerk would display the selected ballot to the observers; fax it to the WEC; mark it with red ink indicating it was the ballot selected for the audit; put it on the top of the stack of ballots; and reseal the bag.

8) The WEC would conduct a publicly observed manual count of the faxed ballots and enter the results of that count into the standard risk-limiting audit formulas. If the proportion of votes for the Election-Night winner in the manual count is close enough to the proportion reported on Election Night, the result is confirmed. The audit would be concluded and the county canvasses could conduct their certification process as normal.

If the proportion of votes for the Election-Night winner differed too much, an additional sample would be drawn and counted. That process would be repeated until statistical confidence in a winner was established.
The WEC would need to adopt policies to govern what will happen in the rare event that the sample has to be expanded more than twice, or if the confidence level declines as the sample is enlarged. Likely, WEC would stop the audit, declare a lack of confidence in the preliminary Election-Night results, and order a full recount on its own initiative.

Other states’ election officials think their voters’ right to self-government through secure elections is worth at least that much time and effort.

If you think Wisconsin elections are worth the effort it takes to conduct a genuine risk-limiting audit, contact your county clerk and the Wisconsin Elections Commission to tell them so.

Wisconsin’s Election Security Council sees the gorilla.

by

October 17, 2019

5:51 am

Comments Off on Wisconsin’s Election Security Council sees the gorilla.

Uncategorized

,

The first meeting of the Wisconsin Elections Commission’s new Election Security Council was both reassuring and scary.

First, the good news. I’m genuinely not sure whether WEC created the council more to promote belief in security or to promote security itself. But whatever WEC’s intention, the members of the new council are there to promote security.

They uniformly exhibited a desire for actual security. Understandably, they showed some legitimate interest in appearances, but their primary concern seemed to be for real security.

Hang on to that idea as I describe the bad news. I do think intention matters.

The second piece of good news is that the members did not seem to share—even slightly—WEC’s hesitance to include voters on the council. (See note at the end of this post.)

A bit of background: the state election agency’s longstanding attitude toward citizen participation is not normal. After 30 years working as a state bureaucrat in three agencies and auditing dozens of others for the legislature, I know “normal.” Even agencies running unpopular programs like septic-tank regulation or state-forest timber harvest seek citizen participation as a routine matter of course.

In contrast, the WEC runs a popular function—people like elections—and yet they hide under their desks when someone mentions voter participation. I’ve never understood why; it makes no sense. I sincerely think that, overall, their objectives are in line with those of the voters.

Fortunately, the council members know normal. When WEC administrator Meagan Wolfe asked whether they wanted to add voter representatives to the council, the members’ brief discussion can be summarized: “Well, duh.”

The representative from the Wisconsin Counties Association, whose name I didn’t catch, pointed out that legislative advisory councils routinely include representatives from citizen groups. Then, after Wolfe said she would bring a detailed proposal for selecting voter representatives to the next meeting, Governor Evers’ representative, Jenny Dye, said that would be too late. The council’s work was “already short on public input,” she said, and it wouldn’t do to have the public members miss the first two meetings. WEC agreed to work out the details and get voters’ representatives to the table by the council’s December meeting.

Okay, now the bad news.

The level of naivete in the room was frightening. Among the utterances that made me shudder:

  • In the limited discussion of specific threats to election security, I heard reference only to external hackers. I detected no awareness that insider corruption (e.g., a rogue employee of a voting-machine company) is the single greatest threat to vote-counting security—one that our election clerks have no reliable defense against. When a representative from the Wisconsin Statewide Intelligence Center listed the threats to look for, he described only external threats. Later, WEC Assistant Administrator Richard Rydecki explained to me that was because external threats are the only ones WSIC has noticed. Well … yes … that is why the other threats are more serious. Wisconsin officials don’t have any way to detect unauthorized remote-control software in the county election-management computers or dicey Serbian programmers working for Dominion.
  • Hearing Mike Davis from the League of Wisconsin Municipalities open his question with “I don’t know much about elections administration, but…” Yikes! Municipalities run Wisconsin’s elections! (On the other hand: his ‘but…’ led into a question about what we do with our paper ballots—displaying that he has good intuitive sense about how we could be securing our elections from that rogue programmer or service technician.)

Ignorance doesn’t have to be a problem. No one was born knowing this stuff. They can learn.

However, WEC’s conduct of the meeting gave me some concern that the council members will not get the education they need.

Put it this way: If you convened a new council to get advice on election security, how would you have opened the first meeting? If it had been me, I would have started by describing the basic elements of a secure election system. Then, I would have given the council a quick overview of Wisconsin’s strengths and weaknesses vis-a-vis these elements–which are covered, and where are the weak spots or holes?

Instead, WEC staff presented a rosy overview of all the good things. When they were done, I’m guessing some council members were wondering why they were there, given that things are already as good as can be.

Wolfe wasn’t making stuff up–a lot of good security measures are already working. She was leaving stuff out—specifically, stuff relating to voting machines.

One fact is critical to understanding election security: Two separate systems must be secured. (See the chart below). These two systems have practically no overlap. They have different creators and different owners. They operate on different computers, managed by different agencies. They face different threats and require different safeguards.

WisVote–the voter-registration system–is secure, thanks to the good, hard work of the state elections agency. I wouldn’t trade our voter-registration system for any other in the nation.

Security for the vote-tabulation system–that is, our voting machines–is closer to an honor system.

Yet Wolfe danced over the tabulation system so lightly I’m not even sure she said the words “voting machine.” For example, one of her Powerpoint slides listed the steps in an “End-to-end Election Administration System.” The list went right from “prepare the poll lists” to “report results to the State.” I wonder whether any of the council members noticed the missing step: “Count the votes.”

I’ve seen this tunnel-vision focus on WisVote security from WEC staff many times before. Whenever they are asked about “election security” (with or without specific reference to voting machines), they respond by describing safeguards that protect only the WisVote system. Dozens of reporters have failed to notice.

But for some reason, I didn’t expect it to be on full display in the meeting today. Perhaps I was thinking that creating an advisory council was something like going to a therapist. You want help, right? So be honest about the problems that bring you there.

(Spoiler alert. If you’ve never taken the selective perception test where you watch a brief video and count the number of times a white-shirted team passes a basketball, do that before reading further. I don’t want to spoil anyone’s opportunity to experience this phenomenon firsthand.)

I’m not a mind reader and so cannot say how much of this relentless tunnel vision on WisVote security is strategic, and how much stems from the fact that tabulation-system security is simply not the WEC’s job.

But as I listened, I started to see WisVote as WEC’s white-shirted basketball team. They are so intently focused on it—absolutely, fully engrossed—that they cannot see the gorilla that is the tabulation system.

Here’s my best hope, and I think it’s a real possibility: I think this council might be able to provide WEC staff with more guidance and education than they realize they need.

After WEC staff had shared all the lovely information about WisVote security, they turned the microphone over to the council members. They asked each member to say a few words about their organization and describe how they see their role in election security over time.

The county clerks went first—and promptly ignored the instructions. Instead, they immediately started to talk about voting-machine security and the fact that they are not getting the IT support they need. Then the League of Municipalities representative popped in with his question about the role of paper ballots in securing election results.

The WEC staff may not see the gorilla, but it was the first and only thing council members wanted to talk about.

In summary, this seems like a good bunch of sensible people. In addition, on my way out, I had a quick but solid discussion with Rydecki about some nuts-and-bolts details regarding the sort of risk-limiting audits that could work to secure Wisconsin election results.

So progress is underway, and I’m okay with that.

* * *

NOTE: After reading this blog post in mid-November, Assistant Administrator Richard Rydecki reached out to explain what had appeared to me to be WEC’s hesitance to include members of the voting public on the new Election Security Council. Our conversation was easy and pleasant and provides a window into WEC’s thinking about its various stakeholders.

The idea to form such a council is not new. In early 2019, the WEC created its first election-security advisory committee, limiting membership to county and municipal clerks. So in March, both Wisconsin Election Integrity and the League of Women Voters of Wisconsin publicly urged the WEC to seek election-security advice from additional stakeholders. We suggested that they either expand that committee to include public representatives (particularly those with security expertise), or to form a separate election-security advisory group with broader membership.

I cannot speak for the LWV-WI, but WEI received no response. If the WEC gave the proposal even momentary consideration, it was quickly forgotten. Rydecki made no mention of it when he explained that the idea for this new election-security advisory council arose in June, in discussion among government officials at a Department of Homeland Security training exercise.

Apparently, the officials who proposed its creation did not mention anything at the time about public members. Nevertheless, Rydecki said, WEC staff did consider how public input might be handled. Some clerks “were not terribly enthused” about having public members on the Council and might not have agreed to participate if public members were included.

One option, according to Rydecki, was that officials’ trepidation might be accommodated by allowing a short period for public comment at the beginning of each meeting, as the Elections Commission itself does.

But ‘professional courtesy’ required WEC staff to refrain from making a ‘unilateral decision’ on how or whether anyone who is not a government official would participate. So WEC formed the council exclusively with government officials and then presented it with the question of how or whether it would have public participation.

I’ll let the reader decide whether that information supports or contradicts the observations I made, above, about WEC’s attitude about citizen participation.

This is what secure tabulation looks like

by

October 15, 2019

6:19 pm

Comments Off on This is what secure tabulation looks like

Uncategorized

, , , , ,

Up to now, the Wisconsin Elections Commission’s interest in elections security has focused on the voter-registration system (WisVote), rather than the vote-tabulation system (the voting machines). When the Commission has paid attention to concerns about voting-machine security, it typically has been for only as long as it took commissioners to ask the vendors “Tell us how to refute these concerns.”

The Commission has also made a habit of limiting its own information sources. Earlier this year when they felt the need for advice on election security, they convened an Election Security Advisory Panel consisting entirely (I swear I’m not making this up) of county and municipal clerks. That was a revealing indication of the Commission’s level of interest in seeking advice from anyone else … say, disinterested IT professionals or highly interested, well-informed voters.

This image has an empty alt attribute; its file name is CAPQuote.jpg

But the Commission’s interest in voting-machine system security may be showing signs of life.

Last week, the Commission announced the formation of a new Elections Security Council of “federal, state and local partners” that will “formalize collaboration between these key groups and the public to improve communication and maximize election security.”

As usual, the Commission’s idea of “key groups” is limited to government officials. It’s possible their idea of ‘communication’ remains limited to outgoing messages to reassure voters that all is well.

Oh, well, it’s a start. Give the new council a chance to join the fight for voting-machine security. We’ll know more after their first meeting on October 16, when they will discuss whether and how they want to involve any other stakeholders.

Realistically, though, it’s possible this new council will — as the Commission itself has always done — focus its efforts exclusively on the voter registration system (WisVote) rather than voting-machine system security. Nothing in the press release specifically indicated the Commission is looking to expand its election-security efforts beyond WisVote.

Nevertheless, just in case this council represents an awakening, its members should know what a secure tabulation system would look like.

So here’s a gift to the new Elections Security Council:
A list of what would be in place if our voting-machine system was secure.

Most of the elements listed below are common sense, not rocket science. It’s just sensible, prudent management of a highly critical IT system. Some elements are present for Wisconsin. Others are missing. State and local election officials cannot create all the missing elements, which means they need to look for ways to make up for their absence.

If any members of the new council are curious to know which of these elements are in place and which are missing, multiple nationallyrespected electionsecurity authorities stand ready to share critical insights. Those experts’ interest in security is unaffected by financial interests and by any reflexive defense of the status quo.

In a secure vote-tabulation system:

Voting equipment manufacturers would…

  • Manufacture only those systems that are as secure as possible given current technology and customers’ budgets.
  • Manufacture only systems that use or produce ballots that voters have verified as accurate records of their intent, and that allow local officials to verify the votes were tabulated accurately.
  • Cooperate fully with the federal Department of Homeland Security monitoring of the companies’ own computers and security practices.
  • Cooperate fully with state and local governments’ security requirements.

The federal government would…

  • Promulgate strong, clear, and frequently updated regulations for secure, auditable voting systems, and for the independence of private testing labs.
  • Actively and rigorously apply those regulations when certifying new systems or updates.
  • Actively monitor and enforce compliance with those regulations.

The state government would…

  • Through law and regulations, implement strong security and auditability requirements for voting systems used in this state, and rigorously enforce those through certification.
  • Provide guidance and technical assistance to local governments related to voting-machine system security, so that vendors are not their customers’ only source of information and advice.
  • Adopt laws and regulations for local governments’ voting-system security practices.
  • Monitor local compliance with required voting-system security practices, and have the ability to correct poor practices.
  • Coordinate strong post-election tabulation audits, involving all the counties’ boards of canvassers, that verify the correct winners in all statewide races before certification.

County government election officials would…

  • Follow federal and state requirements for securing county elections-management system hardware and software.
  • Have professional IT staff capable of and assigned to working with the voting-system vendor on security-related matters. (If not county staff, an independent contractor who is unaffiliated with voting-machine sales and service.)
  • On Election Night, obtain electronic election records (including CVR and digital ballot images) from municipalities. Maintain strong internal control and to support voter confidence and ballot security, post digital ballot images to the internet within 24 hours of poll closing.
  • During the county canvass, use the paper ballots to verify that the computers identified the correct winners. If problems are found, correct results before certification.
  • Between elections, audit various election-security practices and take action to improve whenever any issues are found.

Municipal government election officials would…

  • Maintain year-round strong internal control of marked and unmarked ballots; other election records (e.g., CVR, digital ballot images); and voting-system hardware and software.
  • Maintain equipment according to manufacturer recommendations. Routinely and reliably inspect equipment inside and out for signs of tampering or malfunction; take action to correct any issues noted.
  • Conduct strong pre-election testing of both tabulators and ballot-marking devices; take action to correct any problems noted. Make sure all voting machines are equally reliable and operable.
  • Train election workers in how to maintain security; how to notice trouble signs; how to document and respond to trouble signs or lapses.
  • Monitor performance of elections workers to ensure that no bad habits develop, that any departures from standard procedures are quickly noted and corrected.

Voters would…

  • Volunteer to serve as poll workers and hand-counters for audits.
  • Pay attention to election security issues, getting neither too excitable nor too complacent.
  • Be willing to hold their local officials accountable for verified accurate election results.